From owner-freebsd-security Mon Feb 3 20:06:17 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA15007 for security-outgoing; Mon, 3 Feb 1997 20:06:17 -0800 (PST) Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id UAA14993 for ; Mon, 3 Feb 1997 20:06:09 -0800 (PST) From: tenser@spitfire.ecsel.psu.edu Received: (qmail 1017 invoked by uid 1000); 4 Feb 1997 04:06:01 -0000 Date: 4 Feb 1997 04:06:01 -0000 Message-ID: <19970204040601.1016.qmail@spitfire.ecsel.psu.edu> To: security@freebsd.org cc: tqbf@enteract.com, bugtraq@netspace.org Subject: Patches for 2.1.6-RELEASE locale stuff... Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I took another look at the locale code for 2.1.6-RELEASE (availible in /usr/src/lib/libc/locale), and tried to go though everything and look for buffer overrun type stuff. Here is a set of patches for the four files I modified. I don't guarantee that this takes care of all possible locale security problems, but it's a start for the folks who are going to presumably issue an advisory and official patch at some point in the future. These patched source files at least compile on my 386 running 2.1.6. Any errors I might have made, I attribute to lack of sleep over the last few days. :-) (Note, just to clarify: My first patch should have thwarted the startup locale processing bug. These patches are for other buffer overrun problems in the locale stuff in the C library. That first patch is also included here for convenience.) - Dan C. ----- Begin 2.1.6-locale.diff *** collate.c 1997/02/04 02:49:05 1.1 --- collate.c 1997/02/04 02:54:58 *************** *** 66,75 **** return -1; if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; ! strcpy(buf, path_locale); ! strcat(buf, "/"); ! strcat(buf, encoding); ! 
strcat(buf, "/LC_COLLATE"); if ((fp = fopen(buf, "r")) == NULL) return -1; FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp); --- 66,73 ---- return -1; if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; ! (void)snprintf(buf, ! PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding); if ((fp = fopen(buf, "r")) == NULL) return -1; FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp); *** rune.c 1997/02/04 03:18:28 1.1 --- rune.c 1997/02/04 03:19:21 *************** *** 74,83 **** if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; ! (void) strcpy(name, PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 74,81 ---- if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; ! (void)snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); *** setlocale.c 1997/02/04 03:22:26 1.1 --- setlocale.c 1997/02/04 03:22:54 *************** *** 198,201 **** --- 198,203 ---- case LC_NUMERIC: return (NULL); } + + return(NULL); /* 2.2 has this with the comment, ``Just in Case'' */ } *** startup_setlocale.c 1997/02/03 07:40:46 1.1 --- startup_setlocale.c 1997/02/03 07:41:47 *************** *** 174,183 **** return(0); } ! (void) strcpy(name, PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 174,181 ---- return(0); } ! (void) snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); ----- End 2.1.6-locale.diff
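Review bot: The return value of the new snprintf in the collate.c hunk is discarded, so a path that does not fit in PATH_MAX is silently truncated and fopen is then attempted on a different name; the rune.c and startup_setlocale.c hunks have the same pattern. Check the result and fail on truncation, e.g. `int n = snprintf(buf, sizeof buf, "%s/%s/LC_COLLATE", path_locale, encoding);` followed by `if (n < 0 || n >= (int)sizeof buf) return -1;` (in rune.c and startup_setlocale.c the failing return is an errno value, so return one there too); this assumes `buf` and `name` are `char[PATH_MAX]` arrays, which their declarations outside the hunks would have to confirm, and `sizeof` keeps the bound tied to that declaration. Bounding the copy does not validate what goes into it: `encoding` and the PATH_LOCALE value are still used verbatim, so a locale name containing `/` or `..` components selects a file outside the locale directory, and rejecting such names before building the path, together with deciding whether PATH_LOCALE should be honored at all in set-user-ID processes, is worth addressing alongside this change. The enclosing functions start and end outside all three hunks.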
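Review bot: The comment on the added `return(NULL);` in the setlocale.c hunk records where the line was copied from rather than why it is needed, which a reader of this file cannot act on. If a category value is not matched by the switch above, control would otherwise run off the end of a non-void function, so say that instead, e.g. `return (NULL);	/* category not handled by the switch above */`, which also matches the `return (NULL);` spacing already used in the LC_NUMERIC case two lines earlier. Whether the switch has a default that makes this line unreachable cannot be seen from the hunk; the enclosing function starts outside it.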